authorDan Sinclair <dsinclair@chromium.org>2017-09-20 14:39:30 -0400
committerChromium commit bot <commit-bot@chromium.org>2017-09-20 18:49:04 +0000
commit0c2e705f8d8dec68c1afc8344872fe8bee527c48 (patch)
treee5d522737fdf19f611fb78e08371548d445be1cc /core/fxge
parent4fe8ea5bba4bd505b5bd35395c68799771b0bd7d (diff)
Add bounds checks in CAgg_PathData::BuildPath
When working with LineTo and BezierTo commands, verify we are within the bounds of the path data before accessing elements. Bug: pdfium:899 Change-Id: Iae9f9f3d0e5dbaf8d5452b86961ab8c79a6210f1 Reviewed-on: https://pdfium-review.googlesource.com/14490 Reviewed-by: Lei Zhang <thestig@chromium.org> Commit-Queue: dsinclair <dsinclair@chromium.org>
Diffstat (limited to 'core/fxge')
-rw-r--r--core/fxge/agg/fx_agg_driver.cpp32
1 files changed, 17 insertions, 15 deletions
diff --git a/core/fxge/agg/fx_agg_driver.cpp b/core/fxge/agg/fx_agg_driver.cpp
index b01987fc6b..5e0308c551 100644
--- a/core/fxge/agg/fx_agg_driver.cpp
+++ b/core/fxge/agg/fx_agg_driver.cpp
@@ -1072,7 +1072,7 @@ void CAgg_PathData::BuildPath(const CFX_PathData* pPathData,
if (point_type == FXPT_TYPE::MoveTo) {
m_PathData.move_to(pos.x, pos.y);
} else if (point_type == FXPT_TYPE::LineTo) {
- if (pPoints[i - 1].IsTypeAndOpen(FXPT_TYPE::MoveTo) &&
+ if (i > 0 && pPoints[i - 1].IsTypeAndOpen(FXPT_TYPE::MoveTo) &&
(i == pPoints.size() - 1 ||
pPoints[i + 1].IsTypeAndOpen(FXPT_TYPE::MoveTo)) &&
pPoints[i].m_Point == pPoints[i - 1].m_Point) {
@@ -1080,21 +1080,23 @@ void CAgg_PathData::BuildPath(const CFX_PathData* pPathData,
}
m_PathData.line_to(pos.x, pos.y);
} else if (point_type == FXPT_TYPE::BezierTo) {
- CFX_PointF pos0 = pPoints[i - 1].m_Point;
- CFX_PointF pos2 = pPoints[i + 1].m_Point;
- CFX_PointF pos3 = pPoints[i + 2].m_Point;
- if (pObject2Device) {
- pos0 = pObject2Device->Transform(pos0);
- pos2 = pObject2Device->Transform(pos2);
- pos3 = pObject2Device->Transform(pos3);
+ if (i > 0 && i + 2 < pPoints.size()) {
+ CFX_PointF pos0 = pPoints[i - 1].m_Point;
+ CFX_PointF pos2 = pPoints[i + 1].m_Point;
+ CFX_PointF pos3 = pPoints[i + 2].m_Point;
+ if (pObject2Device) {
+ pos0 = pObject2Device->Transform(pos0);
+ pos2 = pObject2Device->Transform(pos2);
+ pos3 = pObject2Device->Transform(pos3);
+ }
+ pos0 = HardClip(pos0);
+ pos2 = HardClip(pos2);
+ pos3 = HardClip(pos3);
+ agg::curve4 curve(pos0.x, pos0.y, pos.x, pos.y, pos2.x, pos2.y, pos3.x,
+ pos3.y);
+ i += 2;
+ m_PathData.add_path_curve(curve);
}
- pos0 = HardClip(pos0);
- pos2 = HardClip(pos2);
- pos3 = HardClip(pos3);
- agg::curve4 curve(pos0.x, pos0.y, pos.x, pos.y, pos2.x, pos2.y, pos3.x,
- pos3.y);
- i += 2;
- m_PathData.add_path_curve(curve);
}
if (pPoints[i].m_CloseFigure)
m_PathData.end_poly();
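Review bot: When the new `i > 0 && i + 2 < pPoints.size()` check fails in the BezierTo branch, the segment is dropped silently and `i` is not advanced, so the points that follow are re-read as independent commands on later iterations. That is memory-safe for a curve truncated at the end of the array, but for a BezierTo at index 0 with enough points behind it the next iteration would pass the check and build a curve from misaligned points; the branch also does not verify that `pPoints[i + 1]` and `pPoints[i + 2]` are themselves BezierTo entries. I would at least document the intent above the check, e.g. `// Malformed path: a BezierTo needs a previous point and two following points; skip it.`, and consider whether stopping path construction is the safer response to malformed input. The loop header and the declaration of `i` are outside the hunk, so this assumes `i` is an unsigned index compared against `size()`.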